goxmedia

Reputation: 337

How To Maintain PHP Session State With Another Application

GOAL:

Maintain session state between a PHP application and a Coldfusion application which, together, comprise the entire application.

CURRENT METHOD:

Upon logging into our Coldfusion application (the only way to login, i.e., cannot login via the PHP application), we are using the following JS snippet to call a remote PHP file which sets the PHP session cookies (which cannot be set via Coldfusion), and on subsequent Coldfusion page visits, refreshes the PHP session:

<script type="text/javascript">
  // Create an image.
  var imgPing = new Image();
  // Set image src to App A ping url.
  imgPing.src = "http://remotePHPApplicationURL/remoteFile.php";
</script>

This snippet is loaded on each Coldfusion page when logged in to maintain the parallel sessions.

This method works as designed if called via a non-SSL Coldfusion page; however, there are some SSL Coldfusion pages which comprise the application. When an SSL page calls this snippet, we get both an "insecure content" warning (which breaks our SSL connection), as well as an "anonymous function" error, both within the Chrome Inspector.

We've tried CFHTTP to "GET" this PHP file, but it is not setting the PHP cookies as designed. There is something that I don't understand regarding how, by using img.src, the PHP file is executed vs. using CFHTTP.

QUESTION:

Is there another, better method of calling/executing/pinging the PHP file vs. using the img.src, which seems to only work in non-SSL situations?

Here is an example of what the PHP file looks like:

<?php
  // Suppress notices; keep everything else at the default reporting level.
  error_reporting(E_ALL & ~E_NOTICE);
  define('THIS_SCRIPT', 'index');
  define('CSRF_PROTECTION', true);

  $globaltemplates = array();

  // Bootstraps the PHP application (and its session handling) into $phpapp.
  require_once('./global.php');

  // Persist the current PHP session so the ping keeps it alive.
  $phpapp->session->save();
  // Placeholder cookies; setcookie() defaults leave them without the Secure/HttpOnly flags.
  setcookie('userid', 'uid');
  setcookie('password', 'pass');
  // The caller loads this URL as an image, so answer with an image content type.
  header("Content-Type: image/png");
?>

Upvotes: 3

Views: 778

Answers (3)

Stefano D

Reputation: 958

I would suggest using a SAML SSO implementation and only authenticate to the specific application when you need to; you can use a DB to cross-store simple session information as JSON strings. If implemented properly, the experience will be seamless and will offer a scalable solution.

Upvotes: 0

Chris Blackwell

Reputation: 2178

You can use CFHTTP but you have to use it like a proxy between the browser and the remote application and manually manage the cookies sent and received.

I've done this successfully to log users into phpBB from ColdFusion.

The process would look something like this:

  1. CFHTTP to remoteFile.php
  2. Inspect the returned HTTP response and extract the cookies set by the remote app
  3. Use CFCOOKIE to set them in the user's browser

In subsequent requests you'll need to see if the cookies sent by the app are present and, if they are, pass them along with the CFHTTP request in step 1 using CFHTTPPARAM. There's probably a sessionid or similar cookie set by the app; this needs to be sent to maintain the session.

Upvotes: 4
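The three steps above, written out as ColdFusion tag code. This is an added example, not code from the answer or from either application: it assumes the PHP app is reachable server-to-server over HTTPS at the placeholder URL below, and it keeps the PHP app's cookies in one ColdFusion cookie named "php_jar" (an assumed name) so their names keep their case and never collide with CFID/CFTOKEN.

```cfml
<!--- Added example (not from this thread): ColdFusion as the cookie-relaying proxy
      described above. Assumed: the PHP app is reachable server-to-server over HTTPS
      at the placeholder URL below, and its cookies are kept in ONE ColdFusion cookie,
      "php_jar", so their names keep their case and never collide with CFID/CFTOKEN. --->
<cfset phpPingUrl = "https://remotePHPApplicationURL/remoteFile.php">
<!--- Step 1: send back whatever the PHP app set earlier (e.g. PHPSESSID). --->
<cfset relayHeader = structKeyExists(cookie, "php_jar") ? urlDecode(cookie.php_jar) : "">
<cfhttp url="#phpPingUrl#" method="get" result="phpResponse" timeout="5">
  <cfif len(relayHeader)>
    <cfhttpparam type="header" name="Cookie" value="#relayHeader#">
  </cfif>
</cfhttp>
<!--- Step 2: normalise Set-Cookie into an array. Adobe CF returns repeated headers
      as a struct keyed 1..n, Lucee as an array, a single header as a plain string. --->
<cfset setCookies = []>
<cfif structKeyExists(phpResponse.responseHeader, "Set-Cookie")>
  <cfset raw = phpResponse.responseHeader["Set-Cookie"]>
  <cfif isSimpleValue(raw)>
    <cfset setCookies = [raw]>
  <cfelseif isArray(raw)>
    <cfset setCookies = raw>
  <cfelse>
    <cfloop collection="#raw#" item="k"><cfset arrayAppend(setCookies, raw[k])></cfloop>
  </cfif>
</cfif>
<!--- Step 3: keep only "name=value" (text before the first ";"), merge it over the old
      jar with a case-sensitive name match, and store the jar with CFCOOKIE. The PHP
      app's own path/expiry attributes are dropped: the jar is a secure, HttpOnly
      session cookie scoped to the ColdFusion host, never sent over plain HTTP. --->
<cfset merged = []>
<cfloop array="#setCookies#" index="hdr">
  <cfset pair = trim(listFirst(hdr, ";"))>
  <cfif find("=", pair) GT 1>
    <cfset arrayAppend(merged, pair)>
  </cfif>
</cfloop>
<cfloop list="#relayHeader#" delimiters=";" index="old">
  <cfset keep = true>
  <cfloop array="#merged#" index="np">
    <cfif compare(listFirst(np, "="), listFirst(trim(old), "=")) EQ 0><cfset keep = false></cfif>
  </cfloop>
  <cfif keep><cfset arrayAppend(merged, trim(old))></cfif>
</cfloop>
<cfif arrayLen(merged)>
  <cfcookie name="php_jar" value="#urlEncodedFormat(arrayToList(merged, '; '))#"
            secure="true" httponly="true">
</cfif>
```

Because the jar lives under the ColdFusion host, the browser holds the PHP session only through ColdFusion; a user who visits the PHP app directly is not logged in there by this relay.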

Steve Bryant

Reputation: 1046

Hopefully I am wrong, but I can't think of a solution. I do, however, have some insight as to why a solution will be difficult to come by which will hopefully be helpful.

CFHTTP won't work because it is the ColdFusion server, not the user's browser, that is calling the PHP page. So, the ColdFusion server has a session, but the user's computer does not.

There are plenty of ways to call files from within the browser (you could call it from an IMG tag, a CFSCRIPT tag, an IFRAME, an image object...), but they all run into the same issue - namely that the browser will issue a warning if you are calling a non-SSL file from an SSL page.

So, maintaining a PHP session from ColdFusion across SSL where SSL is not available on the PHP server may not be possible without a warning in the browser (though, of course, I would love to be proved wrong about this).

What might work, depending on your needs, is to make any link from your server to the PHP server send a form post to the PHP server including the login information so that they are automatically logged in as they go to visit that third party site. I don't know if that would work for your situation, but I thought I would toss it out there.

The main point, however, is to look for another path to your objective other than maintaining the session on each page request of your ColdFusion application.

Upvotes: 0
